Exploit kits once again ride Flash Player flaws to attack Windows

Adobe’s Flash Player might be on the way out and exploit kits have taken a backseat to cryptominers, but cybercriminals are still finding ways to harness the potent pairing.

Developers of the once highly active RIG exploit kit have now added the remote code execution flaw in Flash Player — CVE-2018-4878 — that Adobe rushed out a patch for in February. Prior to the patch, the flaw was being used by suspected North Korean hackers to target South Korean users.

The attack works against versions of Flash Player prior to 28.0.0.137, the version Adobe released in February.

Customers of RIG had apparently been complaining that the developers hadn’t yet integrated CVE-2018-4878, as so many rival exploit kits had already done over the past month.

The Magnitude exploit kit this month added the same Flash exploit to its kit, which typically uses malicious ads to deliver the Magniber ransomware, according to malware researcher Kafeine. Magniber is a fairly new strain of ransomware that shares some features with the better known Cerber ransomware and has historically been used exclusively to target South Korean Windows users.

GreenFlash Sundown, a variant of the Sundown exploit kit, also gained the Flash Player exploit in early March and has been using it to deliver the Hermes 2.1 ransomware to Windows 7 PCs.

Other cybercriminal businesses have hopped on the February Flash exploit too. Security firm Proofpoint found that the makers of the ThreadKit exploit builder program bundled the Flash attack in March, along with a fresh Office exploit identified as CVE-2018-0802.

As Proofpoint noted recently, the ThreadKit tool emerged in mid-2017 and is helping put powerful exploits for widely used software in the hands of low-skilled threat actors.

The group has gained a reputation for quickly incorporating the latest Office exploits into the exploit builder kit.

The wider adoption of this particular Flash exploit followed a massive malicious spam campaign in late February that sought to catch out businesses that hadn't applied the updates.

Researchers at Morphisec found that attackers were spreading several links generated by Google’s now deprecated URL shortener which, if clicked, led users to a Word document that loads a malicious SWF Flash file designed to exploit the Flash flaw.

Copyright 2019 IDG Communications. ABN 14 001 592 650. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of IDG Communications is prohibited.